<!DOCTYPE html><html class=split lang=en-US-x-hixie><script src=../link-fixup.js defer=""></script>
<!-- Mirrored from html.spec.whatwg.org/dev/webstorage.html by HTTrack Website Copier/3.x [XR&CO'2014], Wed, 10 Sep 2025 08:36:28 GMT -->
<!-- Added by HTTrack --><meta http-equiv="content-type" content="text/html;charset=utf-8" /><!-- /Added by HTTrack -->
<meta charset=utf-8><meta content="width=device-width, initial-scale=1, shrink-to-fit=no" name=viewport><title>HTML Standard, Edition for Web Developers</title><meta content=#3c790a name=theme-color><meta content="light dark" name=color-scheme><link rel=stylesheet href=../../resources.whatwg.org/standard-shared-with-dev.css crossorigin=""><link rel=icon href=https://resources.whatwg.org/logo.svg crossorigin=""><link rel=stylesheet href=styles.css crossorigin=""><script>
   function toggleStatus(div) {
     div.parentNode.classList.toggle('wrapped');
   }
   function setLinkFragment(link) {
     link.hash = location.hash;
   }
  </script><body>
  <script async="" src=search.js></script>
  
  
  <header id=head class="head with-buttons">
   <a href=https://whatwg.org/ class=logo><img width=100 alt=WHATWG crossorigin="" class=darkmode-aware src=https://resources.whatwg.org/logo.svg height=100></a>
   
   <hgroup><h1><a rel=home href=index.html>HTML: The Living Standard</a></h1><p id=dev-edition-h2>Edition for Web Developers — Last Updated <span class=pubdate>10 September 2025</span></hgroup>
   

   <div id=search>
    <input placeholder="Search. Press '/'" autocomplete=off name=query id=query type=search>
    <ol id=results></ol>
   </div>
  </header>

  

  

  

  
  

  
  

  

  <nav><a href=worklets.html>← 11 Worklets</a> — <a href=index.html>Table of Contents</a> — <a href=syntax.html>13 The HTML syntax →</a></nav><ol class=toc><li><a href=webstorage.html#webstorage><span class=secno>12</span> Web storage</a><ol><li><a href=webstorage.html#introduction-14><span class=secno>12.1</span> Introduction</a><li><a href=webstorage.html#storage><span class=secno>12.2</span> The API</a><ol><li><a href=webstorage.html#the-storage-interface><span class=secno>12.2.1</span> The <code>Storage</code> interface</a><li><a href=webstorage.html#the-sessionstorage-attribute><span class=secno>12.2.2</span> The <code>sessionStorage</code> getter</a><li><a href=webstorage.html#the-localstorage-attribute><span class=secno>12.2.3</span> The <code>localStorage</code> getter</a><li><a href=webstorage.html#the-storageevent-interface><span class=secno>12.2.4</span> The <code>StorageEvent</code> interface</a></ol><li><a href=webstorage.html#privacy><span class=secno>12.3</span> Privacy</a><ol><li><a href=webstorage.html#user-tracking><span class=secno>12.3.1</span> User tracking</a></ol><li><a href=webstorage.html#security-storage><span class=secno>12.4</span> Security</a><ol><li><a href=webstorage.html#dns-spoofing-attacks><span class=secno>12.4.1</span> DNS spoofing attacks</a><li><a href=webstorage.html#cross-directory-attacks><span class=secno>12.4.2</span> Cross-directory attacks</a></ol></ol></ol><h2 id=webstorage><span class=secno>12</span> Web storage<a href=#webstorage class=self-link></a></h2><div class="mdn-anno wrapped"><button onclick=toggleStatus(this) class=mdn-anno-btn><b title="Support in all current engines." class=all-engines-flag>✔</b><span>MDN</span></button><div class=feature><p><a href=https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API title="The Web Storage API provides mechanisms by which browsers can store key/value pairs, in a much more intuitive fashion than using cookies.">Web_Storage_API</a><p class=all-engines-text>Support in all current engines.<div class=support><span class="firefox yes"><span>Firefox</span><span>3.5+</span></span><span class="safari yes"><span>Safari</span><span>4+</span></span><span class="chrome yes"><span>Chrome</span><span>4+</span></span><hr><span class="opera yes"><span>Opera</span><span>10.5+</span></span><span class="edge_blink yes"><span>Edge</span><span>79+</span></span><hr><span class="edge yes"><span>Edge (Legacy)</span><span>12+</span></span><span class="ie yes"><span>Internet Explorer</span><span>8+</span></span><hr><span class="firefox_android yes"><span>Firefox Android</span><span>6+</span></span><span class="safari_ios unknown"><span>Safari iOS</span><span>?</span></span><span class="chrome_android unknown"><span>Chrome Android</span><span>?</span></span><span class="webview_android yes"><span>WebView Android</span><span>37+</span></span><span class="samsunginternet_android unknown"><span>Samsung Internet</span><span>?</span></span><span class="opera_android yes"><span>Opera Android</span><span>11+</span></span></div></div><div class=feature><p><a href=https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API/Using_the_Web_Storage_API title="The Web Storage API provides mechanisms by which browsers can securely store key/value pairs.">Web_Storage_API/Using_the_Web_Storage_API</a></div></div>

  <h3 id=introduction-14><span class=secno>12.1</span> Introduction<a href=#introduction-14 class=self-link></a></h3>

  

  <p>This specification introduces two related mechanisms, similar to HTTP session cookies, for
  storing name-value pairs on the client side. <a href=references.html#refsCOOKIES>[COOKIES]</a></p>

  <p>The first is designed for scenarios where the user is carrying out a single transaction, but
  could be carrying out multiple transactions in different windows at the same time.</p>

  <p>Cookies don't really handle this case well. For example, a user could be buying plane tickets
  in two different windows, using the same site. If the site used cookies to keep track of which
  ticket the user was buying, then as the user clicked from page to page in both windows, the ticket
  currently being purchased would "leak" from one window to the other, potentially causing the user
  to buy two tickets for the same flight without noticing.</p>

  <p>To address this, this specification introduces the <code id=introduction-14:dom-sessionstorage><a href=#dom-sessionstorage>sessionStorage</a></code> getter. Sites can add data to the session
  storage, and it will be accessible to any page from the same site opened in that window.</p>

  <div class=example>
   <p>For example, a page could have a checkbox that the user ticks to
   indicate that they want insurance:</p>

   <pre><code class='html'><c- p>&lt;</c-><c- f>label</c-><c- p>&gt;</c->
 <c- p>&lt;</c-><c- f>input</c-> <c- e>type</c-><c- o>=</c-><c- s>&quot;checkbox&quot;</c-> <c- e>onchange</c-><c- o>=</c-><c- s>&quot;sessionStorage.insurance = checked ? &apos;true&apos; : &apos;&apos;&quot;</c-><c- p>&gt;</c->
  I want insurance on this trip.
<c- p>&lt;/</c-><c- f>label</c-><c- p>&gt;</c-></code></pre>

   <p>A later page could then check, from script, whether the user had checked the checkbox or
   not:</p>

   <pre><code class='js'><c- k>if</c-> <c- p>(</c->sessionStorage<c- p>.</c->insurance<c- p>)</c-> <c- p>{</c-> <c- p>...</c-> <c- p>}</c-></code></pre>

   <p>If the user had multiple windows opened on the site, each one would have its own individual
   copy of the session storage object.</p>
  </div>

  

  <p>The second storage mechanism is designed for storage that spans multiple windows, and lasts
  beyond the current session. In particular, web applications might wish to store megabytes of user
  data, such as entire user-authored documents or a user's mailbox, on the client side for
  performance reasons.</p>

  <p>Again, cookies do not handle this case well, because they are transmitted with every
  request.</p>

  <p>The <code id=introduction-14:dom-localstorage><a href=#dom-localstorage>localStorage</a></code> getter is used to access a page's local
  storage area.</p>

  <div class=example>
   <p>The site at example.com can display a count of how many times the user has loaded its page by
   putting the following at the bottom of its page:</p>

   <pre><code class='html'><c- p>&lt;</c-><c- f>p</c-><c- p>&gt;</c->
  You have viewed this page
  <c- p>&lt;</c-><c- f>span</c-> <c- e>id</c-><c- o>=</c-><c- s>&quot;count&quot;</c-><c- p>&gt;</c->an untold number of<c- p>&lt;/</c-><c- f>span</c-><c- p>&gt;</c->
  time(s).
<c- p>&lt;/</c-><c- f>p</c-><c- p>&gt;</c->
<c- p>&lt;</c-><c- f>script</c-><c- p>&gt;</c->
  <c- k>if</c-> <c- p>(</c-><c- o>!</c->localStorage<c- p>.</c->pageLoadCount<c- p>)</c->
    localStorage<c- p>.</c->pageLoadCount <c- o>=</c-> <c- mf>0</c-><c- p>;</c->
  localStorage<c- p>.</c->pageLoadCount <c- o>=</c-> parseInt<c- p>(</c->localStorage<c- p>.</c->pageLoadCount<c- p>)</c-> <c- o>+</c-> <c- mf>1</c-><c- p>;</c->
  document<c- p>.</c->getElementById<c- p>(</c-><c- t>&apos;count&apos;</c-><c- p>).</c->textContent <c- o>=</c-> localStorage<c- p>.</c->pageLoadCount<c- p>;</c->
<c- p>&lt;/</c-><c- f>script</c-><c- p>&gt;</c-></code></pre>
  </div>

  <p>Each site has its own separate storage area.</p>

  <p class=warning>The <code id=introduction-14:dom-localstorage-2><a href=#dom-localstorage>localStorage</a></code> getter provides access
  to shared state. This specification does not define the interaction with other agent clusters
  in a multiprocess user agent, and authors are encouraged to assume that there is no locking
  mechanism. A site could, for instance, try to read the value of a key, increment its value, then
  write it back out, using the new value as a unique identifier for the session; if the site does
  this twice in two different browser windows at the same time, it might end up using the same
  "unique" identifier for both sessions, with potentially disastrous effects.</p>




  <h3 id=storage><span class=secno>12.2</span> The API<a href=#storage class=self-link></a></h3><div class="mdn-anno wrapped"><button onclick=toggleStatus(this) class=mdn-anno-btn><b title="Support in all current engines." class=all-engines-flag>✔</b><span>MDN</span></button><div class=feature><p><a href=https://developer.mozilla.org/en-US/docs/Web/API/Storage title="The Storage interface of the Web Storage API provides access to a particular domain's session or local storage. It allows, for example, the addition, modification, or deletion of stored data items.">Storage</a><p class=all-engines-text>Support in all current engines.<div class=support><span class="firefox yes"><span>Firefox</span><span>3.5+</span></span><span class="safari yes"><span>Safari</span><span>4+</span></span><span class="chrome yes"><span>Chrome</span><span>4+</span></span><hr><span class="opera yes"><span>Opera</span><span>10.5+</span></span><span class="edge_blink yes"><span>Edge</span><span>79+</span></span><hr><span class="edge yes"><span>Edge (Legacy)</span><span>12+</span></span><span class="ie yes"><span>Internet Explorer</span><span>8+</span></span><hr><span class="firefox_android yes"><span>Firefox Android</span><span>6+</span></span><span class="safari_ios unknown"><span>Safari iOS</span><span>?</span></span><span class="chrome_android unknown"><span>Chrome Android</span><span>?</span></span><span class="webview_android yes"><span>WebView Android</span><span>37+</span></span><span class="samsunginternet_android unknown"><span>Samsung Internet</span><span>?</span></span><span class="opera_android yes"><span>Opera Android</span><span>11+</span></span></div></div></div>

  <h4 id=the-storage-interface><span class=secno>12.2.1</span> The <code>Storage</code> interface<a href=#the-storage-interface class=self-link></a></h4>

  

  <dl class=domintro><dt><code><var>storage</var>.<span id=dom-storage-length>length</span></code><dd><p>Returns the number of key/value pairs.<dt><code><var>storage</var>.<span id=dom-storage-key>key</span> (<var>n</var>)</code><dd><p>Returns the name of the <var>n</var>th key, or null if <var>n</var> is greater than or
   equal to the number of key/value pairs.<dt><code><var>value</var> = <var>storage</var>.<span id=dom-storage-getitem>getItem</span> (<var>key</var>)</code><dt><code><var>value</var> = <var>storage</var>[<var>key</var>]</code><dd><p>Returns the current value associated with the given <var>key</var>, or null if the given
   <var>key</var> does not exist.<dt><code><var>storage</var>.<span id=dom-storage-setitem>setItem</span> (<var>key</var>, <var>value</var>)</code><dt><code><var>storage</var>[<var>key</var>] = <var>value</var></code><dd>
    <p>Sets the value of the pair identified by <var>key</var> to <var>value</var>, creating a new
    key/value pair if none existed for <var>key</var> previously.</p>

    <p>Throws a <a id=the-storage-interface:quotaexceedederror href=https://webidl.spec.whatwg.org/#quotaexceedederror data-x-internal=quotaexceedederror>"<code>QuotaExceededError</code>"</a> <code id=the-storage-interface:domexception><a data-x-internal=domexception href=https://webidl.spec.whatwg.org/#dfn-DOMException>DOMException</a></code>
    if the new value couldn't be set. (Setting could fail if, e.g., the user has disabled storage
    for the site, or if the quota has been exceeded.)</p>

    <p>Dispatches a <code id=the-storage-interface:event-storage><a href=indices.html#event-storage>storage</a></code> event on <code>Window</code> objects
    holding an equivalent <code>Storage</code> object.</p>
   <dt><code><var>storage</var>.<span id=dom-storage-removeitem>removeItem</span> (<var>key</var>)</code><dt><code id=the-storage-interface:delete><a data-x-internal=delete href=https://tc39.es/ecma262/#sec-delete-operator>delete</a></code> <var>storage</var>[<var>key</var>]<dd>
    <p>Removes the key/value pair with the given <var>key</var>, if a key/value pair with the given
    <var>key</var> exists.</p>

    <p>Dispatches a <code id=the-storage-interface:event-storage-2><a href=indices.html#event-storage>storage</a></code> event on <code>Window</code> objects
    holding an equivalent <code>Storage</code> object.</p>
   <dt><code><var>storage</var>.<span id=dom-storage-clear>clear</span>()</code><dd>
    <p>Removes all key/value pairs, if there are any.</p>

    <p>Dispatches a <code id=the-storage-interface:event-storage-3><a href=indices.html#event-storage>storage</a></code> event on <code>Window</code> objects
    holding an equivalent <code>Storage</code> object.</p>
   </dl>

  


  <h4 id=the-sessionstorage-attribute><span class=secno>12.2.2</span> The <code id=the-sessionstorage-attribute:dom-sessionstorage><a href=#dom-sessionstorage>sessionStorage</a></code> getter<a href=#the-sessionstorage-attribute class=self-link></a></h4>

  

  <dl class=domintro><dt><code><var>window</var>.<span id=dom-sessionstorage>sessionStorage</span></code><dd>
    <p>Returns the <code>Storage</code> object associated with that <var>window</var>'s origin's
    session storage area.</p>

    <p>Throws a <a id=the-sessionstorage-attribute:securityerror href=https://webidl.spec.whatwg.org/#securityerror data-x-internal=securityerror>"<code>SecurityError</code>"</a> <code id=the-sessionstorage-attribute:domexception><a data-x-internal=domexception href=https://webidl.spec.whatwg.org/#dfn-DOMException>DOMException</a></code> if the
    <code>Document</code>'s <a href=https://dom.spec.whatwg.org/#concept-document-origin id=the-sessionstorage-attribute:concept-document-origin data-x-internal=concept-document-origin>origin</a> is an <a href=browsers.html#concept-origin-opaque id=the-sessionstorage-attribute:concept-origin-opaque>opaque origin</a> or if the request violates a policy decision
    (e.g., if the user agent is configured to not allow the page to persist data).</p>
   </dl>

  


  <h4 id=the-localstorage-attribute><span class=secno>12.2.3</span> The <code id=the-localstorage-attribute:dom-localstorage><a href=#dom-localstorage>localStorage</a></code> getter<a href=#the-localstorage-attribute class=self-link></a></h4>

  


  <dl class=domintro><dt><code><var>window</var>.<span id=dom-localstorage>localStorage</span></code><dd>
    <p>Returns the <code>Storage</code> object associated with <var>window</var>'s origin's local
    storage area.</p>

    <p>Throws a <a id=the-localstorage-attribute:securityerror href=https://webidl.spec.whatwg.org/#securityerror data-x-internal=securityerror>"<code>SecurityError</code>"</a> <code id=the-localstorage-attribute:domexception><a data-x-internal=domexception href=https://webidl.spec.whatwg.org/#dfn-DOMException>DOMException</a></code> if the
    <code>Document</code>'s <a href=https://dom.spec.whatwg.org/#concept-document-origin id=the-localstorage-attribute:concept-document-origin data-x-internal=concept-document-origin>origin</a> is an <a href=browsers.html#concept-origin-opaque id=the-localstorage-attribute:concept-origin-opaque>opaque origin</a> or if the request violates a policy decision
    (e.g., if the user agent is configured to not allow the page to persist data).</p>
   </dl>

  


  <h4 id=the-storageevent-interface><span class=secno>12.2.4</span> The <code>StorageEvent</code> interface<a href=#the-storageevent-interface class=self-link></a></h4><div class="mdn-anno wrapped"><button onclick=toggleStatus(this) class=mdn-anno-btn><b title="Support in all current engines." class=all-engines-flag>✔</b><span>MDN</span></button><div class=feature><p><a href=https://developer.mozilla.org/en-US/docs/Web/API/StorageEvent title="The StorageEvent interface is implemented by the storage event, which is sent to a window when a storage area the window has access to is changed within the context of another document.">StorageEvent</a><p class=all-engines-text>Support in all current engines.<div class=support><span class="firefox yes"><span>Firefox</span><span>13+</span></span><span class="safari yes"><span>Safari</span><span>4+</span></span><span class="chrome yes"><span>Chrome</span><span>1+</span></span><hr><span class="opera yes"><span>Opera</span><span>12.1+</span></span><span class="edge_blink yes"><span>Edge</span><span>79+</span></span><hr><span class="edge yes"><span>Edge (Legacy)</span><span>12+</span></span><span class="ie yes"><span>Internet Explorer</span><span>9+</span></span><hr><span class="firefox_android unknown"><span>Firefox Android</span><span>?</span></span><span class="safari_ios yes"><span>Safari iOS</span><span>3+</span></span><span class="chrome_android unknown"><span>Chrome Android</span><span>?</span></span><span class="webview_android yes"><span>WebView Android</span><span>37+</span></span><span class="samsunginternet_android unknown"><span>Samsung Internet</span><span>?</span></span><span class="opera_android yes"><span>Opera Android</span><span>12.1+</span></span></div></div></div>

  

  <dl class=domintro><dt><code><var>event</var>.<span id=dom-storageevent-key>key</span></code><dd><p>Returns the key of the storage item being changed.<dt><code><var>event</var>.<span id=dom-storageevent-oldvalue>oldValue</span></code><dd><p>Returns the old value of the key of the storage item whose value is being
   changed.<dt><code><var>event</var>.<span id=dom-storageevent-newvalue>newValue</span></code><dd><p>Returns the new value of the key of the storage item whose value is being
   changed.<dt><code><var>event</var>.<span id=dom-storageevent-url>url</span></code><dd><p>Returns the <a href=https://dom.spec.whatwg.org/#concept-document-url id="the-storageevent-interface:the-document's-address" data-x-internal="the-document's-address">URL</a> of the document whose storage
   item changed.<dt><code><var>event</var>.<span id=dom-storageevent-storagearea>storageArea</span></code><dd><p>Returns the <code>Storage</code> object that was affected.</dl>

  


  <h3 id=privacy><span class=secno>12.3</span> Privacy<a href=#privacy class=self-link></a></h3>

  <h4 id=user-tracking><span class=secno>12.3.1</span> User tracking<a href=#user-tracking class=self-link></a></h4>

  <p>A third-party advertiser (or any entity capable of getting content distributed to multiple
  sites) could use a unique identifier stored in its local storage area to track a user across
  multiple sessions, building a profile of the user's interests to allow for highly targeted
  advertising. In conjunction with a site that is aware of the user's real identity (for example an
  e-commerce site that requires authenticated credentials), this could allow oppressive groups to
  target individuals with greater accuracy than in a world with purely anonymous web usage.</p>

  <p>There are a number of techniques that can be used to mitigate the risk of user tracking:</p>

  <dl><dt>Blocking third-party storage<dd>
    <p>User agents may restrict access to the <code id=user-tracking:dom-localstorage><a href=#dom-localstorage>localStorage</a></code>
    objects to scripts originating at the domain of the <a href=document-sequences.html#nav-document id=user-tracking:nav-document>active
    document</a> of the <a id=user-tracking:top-level-traversable href=document-sequences.html#top-level-traversable>top-level traversable</a>, for instance denying access to the
    API for pages from other domains running in <code id=user-tracking:the-iframe-element><a href=iframe-embed-object.html#the-iframe-element>iframe</a></code>s.</p>
   <dt>Expiring stored data<dd>
    <p>User agents may, possibly in a manner configured by the user, automatically delete stored
    data after a period of time.</p>

    <p>For example, a user agent could be configured to treat third-party local storage areas as
    session-only storage, deleting the data once the user had closed all the <a href=document-sequences.html#navigable id=user-tracking:navigable>navigables</a> that could access it.</p>

    <p>This can restrict the ability of a site to track a user, as the site would then only be able
    to track the user across multiple sessions when they authenticate with the site itself (e.g. by
    making a purchase or logging in to a service).</p>

    <p>However, this also reduces the usefulness of the API as a long-term storage mechanism. It can
    also put the user's data at risk, if the user does not fully understand the implications of data
    expiration.</p>
   <dt>Treating persistent storage as cookies<dd>
    <p>If users attempt to protect their privacy by clearing cookies without also clearing data
    stored in the local storage area, sites can defeat those attempts by using the two features as
    redundant backup for each other. User agents should present the interfaces for clearing these in
    a way that helps users to understand this possibility and enables them to delete data in all
    persistent storage features simultaneously. <a href=references.html#refsCOOKIES>[COOKIES]</a></p>
   <dt>Site-specific safelisting of access to local storage areas<dd>
    <p>User agents may allow sites to access session storage areas in
    an unrestricted manner, but require the user to authorize access
    to local storage areas.</p>
   <dt>Origin-tracking of stored data<dd>
    <p>User agents may record the <a href=browsers.html#concept-origin id=user-tracking:concept-origin>origins</a> of sites that contained
    content from third-party origins that caused data to be stored.</p>

    <p>If this information is then used to present the view of data currently in persistent storage,
    it would allow the user to make informed decisions about which parts of the persistent storage
    to prune. Combined with a blocklist ("delete this data and prevent this domain from ever storing
    data again"), the user can restrict the use of persistent storage to sites that they trust.</p>
   <dt>Shared blocklists<dd>
    <p>User agents may allow users to share their persistent storage domain blocklists.</p>

    <p>This would allow communities to act together to protect their privacy.</p>
   </dl>

  <p>While these suggestions prevent trivial use of this API for user tracking, they do not block it
  altogether. Within a single domain, a site can continue to track the user during a session, and
  can then pass all this information to the third party along with any identifying information
  (names, credit card numbers, addresses) obtained by the site. If a third party cooperates with
  multiple sites to obtain such information, a profile can still be created.</p>

  <p>However, user tracking is to some extent possible even with no cooperation from the user agent
  whatsoever, for instance by using session identifiers in URLs, a technique already commonly used
  for innocuous purposes but easily repurposed for user tracking (even retroactively). This
  information can then be shared with other sites, using visitors' IP addresses and other
  user-specific data (e.g. user-agent headers and configuration settings) to combine separate
  sessions into coherent user profiles.</p>

  


  <h3 id=security-storage><span class=secno>12.4</span> Security<a href=#security-storage class=self-link></a></h3>

  <h4 id=dns-spoofing-attacks><span class=secno>12.4.1</span> DNS spoofing attacks<a href=#dns-spoofing-attacks class=self-link></a></h4>

  <p>Because of the potential for DNS spoofing attacks, one cannot guarantee that a host claiming to
  be in a certain domain really is from that domain. To mitigate this, pages can use TLS. Pages
  using TLS can be sure that only the user, software working on behalf of the user, and other pages
  using TLS that have certificates identifying them as being from the same domain, can access their
  storage areas.</p>


  <h4 id=cross-directory-attacks><span class=secno>12.4.2</span> Cross-directory attacks<a href=#cross-directory-attacks class=self-link></a></h4>

  <p>Different authors sharing one host name, for example users hosting content on the now defunct
  <code>geocities.com</code>, all share one local storage object. There is no feature to
  restrict the access by pathname. Authors on shared hosts are therefore urged to avoid using these
  features, as it would be trivial for other authors to read the data and overwrite it.</p>

  <p class=note>Even if a path-restriction feature was made available, the usual DOM scripting
  security model would make it trivial to bypass this protection and access the data from any
  path.</p>


  



  <nav><a href=worklets.html>← 11 Worklets</a> — <a href=index.html>Table of Contents</a> — <a href=syntax.html>13 The HTML syntax →</a></nav>
